SVN Pristine Extractor

So, you're sat on a customer site, and nothing is going right: patching is up to date, passwords are all set to complex values, user input is validated, you have to wear a suit and even the coffee doesn't taste very nice.

Oh, but wait! That scan against the internal web server reveals that:

/.svn/wc.db: Subversion SQLite DB file may contain directory listing information.

This is a turn up for the books: a valid subversion archive that we can extract files from. A quick surf through the /.svn/entries file shows the crown jewels within easy reach: we can see web.config file, but the MIME types have been set up correctly so we cannot download them.

So, where can we go from here. With a bit of research we can see that the /.svn repository contains a directory called "pristine". The pristine directory contains the original versions of the files from the repository so that subversion can compare them to the current files. The files in the pristine directory are stored with a filename set to the checksum (usually SHA1) value of the file. This is useful if somebody has accidentally left their subversion check out directory on their web server as the resultant files will have no extension and can usually be downloaded, including the web.config and similar files.

So, if we can match the filename in the pristine directory to a real file name we can potentially download web.config and the source code. Fortunately we can grab the subversion database, which lists this in the nodes table. So a quick perl script later and we have a script which can extract the contents of a subversion check out directory. This one web server eventually got me domain admin in a real world test (with a few other misconfigurations).

The script can be found here. It has only been run against a few web servers, so could do with some extra testing.

To run just pass the web server on the command line and it will clone all nodes into /server


svnpristine can be downloaded from here: